Jeff Klemme, Principal Architect & David Woodard, Principal Architect
There are two different builds of the Java Development Kit. Both are owned by Oracle, but one (OpenJDK) is licensed using an open-source model and the other (Oracle JDK or Oracle Java SE) requires a license from Oracle if you want to continue its use commercially. If you are currently using Oracle Java SE, and don’t already have an existing Oracle Java SE subscription or Java support contract, now is the time to get educated about your options and determine the Oracle Java footprint within your business. Hopefully this article will help you better understand what is changing regarding the licensing of Java SE and how it may affect your business.
What Changed with Java Licensing?
First of all, let us note that we are not attorneys, and what follows is a technical review of Oracle’s new Java licensing terms, not legal advice. As always, you should confer with your legal counsel when reviewing and/or agreeing to contractual terms.
In the past, both OpenJDK and Oracle JDK were licensed under the same Binary Code License, which included a combination of both free and paid commercial terms. However, starting with Java 11 (the most recent version), Oracle changed to using the “GNU General Public License v2, with the Classpath Exception (GPLv2+CPE)” license for OpenJDK and a commercial license (Java SE Subscription or Java SE Desktop Subscription) for Oracle JDK.
You can continue to use previous versions of Java under the license terms which were provided to you, however the new licensing model applies to Java 8 updates starting in April 2019. At the end of January 2019, Oracle stopped posting Oracle Java SE 8 updates and patches to its public download site for commercial use. Going forward, commercial users of Oracle Java SE will need to access new versions, as well as updates and patches of supported versions through My Oracle Support, which requires a Java SE Subscription and/or a Java SE Desktop Subscription.
It appears as though Oracle intends to have “feature releases” of the JDK every six months. For OpenJDK, each feature release will supersede the previous release. This is also true for the Oracle JDK, except that every three years, Oracle will designate a release for Long-Term Support (LTS), which will support that LTS release for an extended period of time. The LTS releases of Oracle JDK will be for those organizations that want a supported version, but don’t want (or need) to upgrade every six months.
How does this affect my Oracle licensing?
Any commercial use of Oracle JDK (Java SE), requires you to purchase a Java subscription with Oracle or switch your applications to OpenJDK. There are a few exceptions to this rule however, which include:
- You have an existing support contract for Oracle Java SE Advanced, Oracle Java SE Advanced Desktop, Oracle Java SE Suite, and/or Java SE Support.
- Oracle has indicated that if you are using a supported Oracle product which requires Java SE, you can continue to access to Oracle Java updates, as required by that Oracle product, for the use of the supported Oracle product, at no additional cost. See My Oracle Support Note 1557737.1 for more details.
- If you have a third party application requiring Oracle JDK and Oracle JDK is licensed by that application vendor. You need to check with the application vendor as to any bundled or installed Java components that come with their application. We have already heard of cases where application vendors are starting to remove the Java components from their installation process and are requiring the customer to download and license (if necessary) the appropriate JDK separately. Additionally, some vendors are switching to delivering OpenJDK with their software. NOTE: you should not switch to OpenJDK from Oracle JDK for a third party application unless the vendor has certified OpenJDK for use with their product, and will still support you when running on OpenJDK.
- You are on Java 8 and have no plans to upgrade or patch beyond the January 2019 update. For many this is most likely not a valid option, as having an unpatched Java implementation would be flagged as a security risk in most, if not all, security scans.
How is it licensed?
Oracle Java SE licenses can be purchased by processor (Java SE Subscription) or by Named User Plus (Java SE Desktop Subscription) as noted in Oracle’s Oracle Java SE Subscription Global Price List. Like other Oracle products, the Java SE Subscription price list refers to the Processor Core Factor Table for calculating the number of processors for the processor-based model. However, this is a price list, not a contract. Therefore, you need to review the actual contract at the time of purchase to ensure that it references the Core Factor Table.
Also, it is important to note that the Oracle Java SE Subscription Global Price List [1] contains a bit of a contradiction between the name of the desktop license and the licensing metric. The product name is “Java SE Desktop Subscription” while the licensing metric is listed as “Named User Plus”. A desktop is a device, but a user is a person. There is a Definitions section in the price list, which provides the Oracle standard Named User Plus definition:
Named User Plus: is defined as an individual authorized by you to use the programs which are installed on a single server or multiple servers regardless of whether the individual is actively using the programs at any given time. …
But it also notes that “For the purposes of the following Program: Java SE Desktop Subscription, the term “server” refers to a desktop computer.” So, it appears that the Desktop/NUP license is actually a license by user, and one user can access multiple desktop computers under that license. But it also appears that the Desktop/NUP license is only for desktop computers (a term that is not actually defined), which would seem to preclude the use of Desktop/NUP licenses for virtual desktops hosted on servers, such as VMware’s VDI. Again, we note, this is a price list, not a contract. As such, you need to review the actual contract at the time of purchase with your legal counsel to determine the actual rights granted.
Recommendations
As with Oracle’s other core technologies and applications, the new Java licensing model provides Oracle with the means for auditing your use of Java software. House of Brick strongly recommends getting your arms around the Java usage in your organization before Oracle takes advantage of their new audit path. We suggest taking the following steps to help with this discovery process:
- Attempt to identify all Java installations on servers and desktops. This can be a daunting task, but is a vital step in determining the overall Java footprint. Some suggestions for identifying Java installations:
– Determine if existing security scans identify Java installations and versions
– For Linux, search the entire directory structure for programs named “java”
– For Windows, search the Registry for “java” and/or review the list of Installed Programs
– For Windows, search the file system for “java.exe”
This is by no means an exhaustive list of ways to find Java installations. Some products include Java when you unzip a downloaded installation file, and these kind of situations make discovery of Java installations the most difficult part of determining your licensing needs.
- Contact third party application vendors whose applications require Oracle JDK. Determine if they are providing the Java license and if they are, get that in writing. If they do not provide the Java license, ask if their application is certified for use with OpenJDK.
- For Oracle JDK installed as part of another supported Oracle product, try to verify that it is not being used outside of that supported Oracle product.
- Create an approval process or limit users’ ability to download software from Oracle. Having a controlled download process can help manage where Oracle software gets installed.
Conclusion
This blog is intended to give you an overview of the new Oracle Java licensing requirements and an idea of what they may mean for you. We expect to blog more on this topic, so please share any questions you may have, or things you have seen when working through this issue at your company.
[1] Content copyright of Oracle Corporation